Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-3180
HistoryAug 03, 2023 - 12:00 a.m.

CVE-2023-3180

2023-08-0300:00:00
ubuntu.com
ubuntu.com
9
qemu
virtual crypto device
data encryption
decryption
virtio_crypto_handle_sym_req
heap buffer overflow.

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS

0

Percentile

5.1%

A flaw was found in the QEMU virtual crypto device while handling data
encryption/decryption requests in virtio_crypto_handle_sym_req. There is no
check for the value of src_len and dst_len in
virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow
when the two values differ.

Bugs

Notes

Author Note
mdeslaur introduced in 2.8.0
OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchqemu< anyUNKNOWN
ubuntu20.04noarchqemu< 1:4.2-3ubuntu6.28UNKNOWN
ubuntu22.04noarchqemu< 1:6.2+dfsg-2ubuntu6.16UNKNOWN
ubuntu23.04noarchqemu< 1:7.2+dfsg-5ubuntu2.4UNKNOWN

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS

0

Percentile

5.1%